Having a Linux system automatically log in to a graphical program on boot is surprisingly difficult. Common solutions involve setting up a display manager with custom configuration and it gets messier from there. Fortunately there is a better way, xlogin uses systemd to launch X for a given user.

The developer describes it as a stop-gap workaround but after four years it is still a leading solution. xlogin consists of two systemd services, a launching wrapper script, and a xinitrc config tweak. If it is a hack it is a very elegant one, the four files together come to just forty lines (31 if you remove comments and whitespace).

Unfortunately it’s not packaged for Debian, while shovelling some files on to the disk works as a short term measure in the long run I really need it to be packaged, it greatly helps the image generation and allows long term maintenance. So I prepared a quick ugly package. It currently has some issues that like bad source package generation don’t impact me but need to be fixed, I’ll clean it up and look and submitting it in a few weeks.

Package Managing

To feed the packages in to multistrap requires a Debian repository. Fundamentally this is a http or ftp directory tree with a few specially formatted files. There are a plethora of tools to assist creating this but as is common when there are lots of tools doing the same job, none of them stand out as been considerably better than the others. I chose to use reprepro, it isn’t easy to set up but blindly following online guides worked for me.

Keyring Managing

Debian signs all of it’s packages as a basic assurance measure. The Debian tools take some convincing to run unsigned packages so it is easier when building your own packages to sign them too.

Signing is the easy half. You generate a gpg key, feed it to reprepro and it signs all the packages it delivers.

Where things get a bit more complex is getting the public key in to the client computer so that it can verify the key. The quick solution is to push the key in to apt-key when generating the image. This works but is difficult to maintain.

The more complete solution, which Debian uses for it’s own packages, is to create a keyring containing all the valid keys. This keyring is then packaged and distributed through the package management system. Structuring it this ways allows keys to be added or revoked as required by pushing a package update. Doubling down the complexity, managing the keyring package is a cluster of programs called jetring which provide tracability of changes.

I built my own keyring package, lodlabs-keyring based on debian-archive-keyring which I distribute through my development package manager. With this setup I can feed multistrap custom packages at will.

A quick note, using this technique multistrap must be able to acquire the keyring package itself. So the image generating machine must tie apt in to the private repository and have the keyring installed.

Creating your own keyring package

For a very small simple package creating your own keyring is a bit of work.

For starters, you need the basics:

apt-get build-depends debian-archive-keyring
apt-get source debian-archive-keyring

The debian-archive-keyring has a few directories:

  • keyrings:
    This contains the generated keyrings, the end products. They are created by the Makefile.
  • active-keys, removed-keys, team-members:
    Each of these directories contains a collection of keys.
    The keys are of a custom file format, generated by jetring from a gpg key.
    Instructions for creating a key are in README.maintainer.
    There is also an index file with a checksum for each key, this can be generated by jetring-accept.
    Finally there is an index.gpg file which signs the index, this can be generated by jetring-signindex.

    • active-keys:
      This keyring is used to verify the archive packages and is distributed in the generated package.
    • removed-keys:
      This keyring is used to revoke previous active keys and is distributed in the generated package.
    • team-members:
      This keyring is used by the package generation to verify the active and removed keyrings. It is not distributed outside the package.

To proceed you are going to need two gpg keys, you con probably use the same key twice but it wouldn’t be advisable. I generated two different subkeys following the instructions here. The active subkey is the one used to set up reprepro and sign your packages. The team subkey is your personal signing key.

Push the personal key into the team keychain, then the reprepro key into the active keychain by following the instructions in debian-archive-keyring’s README.maintainer.

Once your keys are in the packaging key directories, delete all the other keys in active-keys and team-members. Edit the index files so that only your key entry remains. Then resign the index by running jetring-signindex over each folder.

You can also delete all the keys in removed-keys, create an empty index file and sign it with jetring-signindex.

Now if you run `make` it should generate new keyring files only containing your keys.

To complete the package it will need to be renamed. Edit all the debian files, changing every instance of debian-archive-keyring to your-keyring. The changelog, copyright and control files will all need to have portions partially rewritten. The debian-archive-keyring script files in the debian folder will need to be renamed and the debian-archive-keyring instances in the Makefile will all need to be changed.

The generated keyring files must be signed, run
gpg --armor --detach-sign keyrings/your-removed-keys.gpg

Finally invoking `debuild -b -uc -us` should spit out your-keyring_<year>.<month>_all.deb.